a

#,�e^k�@sJ
dd
lm
Z
mZ
ddlmZmZ
ddlmZmZ
ddlmZmZ
ddl	m
Z

ddlmZm
Z

eddd	d
�edddd
�edddd
�ed
dd	d
�edddd
�edddd
�edddd
�edddd
�eddd	d
�eddd	d
�edd	d	d
�edd	d	d
�d�Zgd�
ZGdd�de
�ZGdd�de
�ZGdd�de
�ZGdd�d�ZGd d!�d!�Zd
S)"�)�JWException�
JWKeyNotFound)�JWSEHeaderParameter�JWSEHeaderRegistry)�base64url_decode�base64url_encode)�json_decode�json_encode)
�JWA)�JWK�JWKSetZ	AlgorithmFTNzJWK Set URLzJSON Web KeyzKey IDz	X.509 URLzX.509 Certificate Chainz"X.509 Certificate SHA-1 Thumbprintz$X.509 Certificate SHA-256 Thumbprint�TypezContent TypeZCriticalzBase64url-Encode Payload)�algZjkuZjwk�kidZx5uZx5cZx5tzx5t#S256�typZcty�crit�b64)ZHS256ZHS384ZHS512ZRS256ZRS384ZRS512ZES256ZES384ZES512ZPS256ZPS384ZPS512ZEdDSAZES256Kcs"eZ
dZd
Zd�f
dd�	Z�ZS)�InvalidJWSSignaturez_Invalid JWS Signature.

    This exception is raised when a signature cannot be validated.
    Ncs>d}|
rt|
�
}nd
}|r*|dt|�
7}t
t|��|�

dS)Nz&Unknown Signature Verification Failure� {%s})�str�superr�__init__��self�message�	exception�msg�
�	__class__��0/usr/lib/python3.9/site-packages/jwcrypto/jws.pyr+s






zInvalidJWSSignature.__init__)NN��__name__�
__module__�__qualname__�__doc__r�
__classcell__rrrr r%s
rcs"eZ
dZd
Zd�f
dd�	Z�ZS)�InvalidJWSObjectzvInvalid JWS Object.

    This exception is raised when the JWS Object is invalid and/or
    improperly formatted.
    Ncs<d
}|
r|d|
7}|r(|dt|�
7}t
t|��|�

dS)NzInvalid JWS Objectz [%s]r)rrr'rrrrr r=s





zInvalidJWSObject.__init__)NNr!rrrr r'6s
r'cs"eZ
dZd
Zd�f
dd�	Z�ZS)�InvalidJWSOperationz�Invalid JWS Object.

    This exception is raised when a requested operation cannot
    be execute due to unsatisfied conditions.
    Ncs:d}|
r|
}nd
}|r&|dt|�
7}t
t|��|�

dS)NzUnknown Operation Failurer)rrr(rrrrr rMs





zInvalidJWSOperation.__init__)NNr!rrrr r(Fs
r(c@s:eZ
dZd
Zd
dd�
Zdd�Zdd�Zd	d
�Zdd�ZdS)�JWSCorez�The inner JWS Core object.

    This object SHOULD NOT be used directly, the JWS object should be
    used instead as JWS perform necessary checks on the validity of
    the object and requested operations.

    NcCsl|
|_|�
|
|�|_||_|d
u
rPt|t�r4t|�
}t|�
|_t	|�
d�
�
|_ni|_d|_|�|�
|_
d
S)aCore JWS token handling.

        :param alg: The algorithm used to produce the signature.
            See RFC 7518
        :param key: A (:class:`jwcrypto.jwk.JWK`) verification or
         a (:class:`jwcrypto.jwk.JWKSet`) that contains a key indexed by the
         'kid' header. A JWKSet is allowed only for verification operations.
        :param header: A JSON string representing the protected header.
        :param payload(bytes): An arbitrary value
        :param algs: An optional list of allowed algorithms

        :raises ValueError: if the key is not a (:class:`jwcrypto.jwk.JWK`)
        :raises InvalidJWAAlgorithm: if the algorithm is not valid, is
            unknown or otherwise not yet implemented.
        :raises InvalidJWSOperation: if the algorithm is not allowed.
        N�utf-8�)r�_jwa�engine�key�
isinstance�dictr	r�headerr�encode�	protected�_payload�payload)rrr.r1r5�algsrrr ras







zJWSCore.__init__cCs&|durt}|
|v
rt
d
�
�
t�|
�
S)NzAlgorithm not allowed)�default_allowed_algsr(r
Zsigning_alg)r�name�allowedrrr r,�s





zJWSCore._jwacCs8|j�
d
d�rt|
�
�d�
St|
t�r*|
S|
�d�
SdS)NrTr*)r1�getrr2r/�bytes�rr5rrr r4�s




zJWSCore._payloadc
CsPt|j
t�std
�
�
d�|j�d�
|jg�
}
|j�	|j
|
�}|j|jt
|�
d�S)zGenerates a signaturezkey is not a JWK object�
.r*)r3r5�	signature)r/r.r�
ValueError�joinr3r2r5r-�signr)r�siginr>rrr rA�s


�


�zJWSCore.signc
Csbz.d
�|j
�d�
|jg�
}|j�|j||
�
Wn.ty\
}
ztd�
|�WYd}~n
d}~00dS)z�Verifies a signature

        :raises InvalidJWSSignature: if the verification fails.

        :return: Returns True or an Exception
        :rtype: `bool`
        r=r*zVerification failedNT)	r@r3r2r5r-�verifyr.�	Exceptionr)rr>rB�
errr rC�s

�

 
zJWSCore.verify)
N)	r"r#r$r%rr,r4rArCrrrr r)Xs

!	r)c@s�eZ
dZd
Zd+dd�
Zedd��
Zejdd��
Zedd	��
Zd
d�Z	d,dd
�
Z
dd�Zd-dd�
Zdd�Z
dd�Zd.dd�
Zd/dd�
Zd0dd�
Zedd��
Zdd �Zed!d"��
Zed#d$��
Zd%d&�Zd'd(�Zd)d*�ZdS)1�JWSzFJSON Web Signature object

    This object represent a JWS token.
    NcCs:i|_|
|jd
<d|_
d|_tt�
|_|r6|j�|�

dS)z�Creates a JWS object.

        :param payload(bytes): An arbitrary value (optional).
        :param header_registry: Optional additions to the header registry
        r5N)�objects�	verifylog�
_allowed_algsr�JWSHeaderRegistry�header_registry�update)rr5rKrrr r�s







zJWS.__init__c


Cs|jr|jSt
Sd
S)z�Allowed algorithms.

        The list of allowed algorithms.
        Can be changed by setting a list of algorithm names.
        N)rIr7�
rrrr �allowed_algs�s
zJWS.allowed_algscCst|
t
�std
�
�
|
|_dS)NzAllowed Algs must be a list)r/�list�	TypeErrorrI)rr6rrr rN�s


c

Cs|j�
d
d�S)N�validF)rGr:rMrrr �is_valid�szJWS.is_validcGs
d}g}|
du
r|d
|
vrZ|
d
}|D]4}||jv
r@t
d|�
�
q$|j|js$t
d|�
�
q$|
}d|vr|t|dt�s|t
d�
�
|D]l}|dur�q�|dur�i}t|���
D]:}||jvr�|j|jr�t
d|�
�
||vr�t
d|�
�
q�|�|�

q�|D]}||v
r�t
d|�
�
q�|S)	NrzUnknown critical header: "%s"z!Unsupported critical header: "%s"rzb64 header must be a booleanz"%s" must be protectedzDuplicate header: "%s"zMissing critical header "%s")	rKr'Z	supportedr/�boolrO�keysZmustprotectrL)rr3Zheadersr1r�
kZhn�
hrrr �_merge_check_headers�sD








�

�
















zJWS._merge_check_headerscCs�
i}|du
r&t|�
}t
|t�s&td
�
�
|r<t
|t�s<td�
�
|�||�}|D]$}	|	|jvrL|j�|	|�sLtd�
�
qL|
dur�d|v
r�td�
�
|
r�d|vr�|
|dkr�td|
�d|d�d��
�
|
}
n|d}
t
|t�r�t|
||||j	�}|�
|�

|j�d	�

n�t
|t
��
r�|}d
|jv�
rH|�|jd
�
}
|
�
sDtd�|jd
�
�
�
|
}|D]�}z4t|
||||j	�}|�
|�

|j�d	�

W
�
q�WnNt�
y�
}
z4|�d
|���}|j�d�|t|�
��

WYd}~n
d}~00�
qLd	|jv
�
r�td
�
�
ntd�
�
dS)NzInvalid Protected headerzInvalid Unprotected headerzFailed header checkrzNo "alg" in headersz"alg" mismatch, requested "z
", found "�
"ZSuccessrzKey ID {} not in key setzKey [{}] failed: [{}]�No working key found in key setzUnrecognized key type)rr/r0rrWrKZcheck_headerrr)rIrCrH�appendr�jose_headerZget_keysr�formatrDr:Z
thumbprint�reprr?)rrr.r5r>r3r1�
pZchk_hdrsZhdrZ
resulting_algZsignerrTZkid_keysrUZsigner2rEZkeyidrrr �_verify
st



















�
��


�








�



�







� 

zJWS._verifycCs6|
�d
�
}|du
r2|dus&t
|�
dkr*|Std�
�
|S)Nr5r
z4Object Payload present but Detached Payload provided)r:�lenr()r�objZdp�oprrr �_get_obj_payloadE
s




zJWS._get_obj_payloadc	Cs�
g|_d
|j
d<|j
}d
}d|vr�|�||�}z4|�||
||d|�dd�|�dd��
d|d<WnFty�
}
z.t|t�r�d}|j�dt	|�
�

WYd}~n
d}~00n�d	|v�
rR|�||�}|d	D]�}z4|�||
||d|�dd�|�dd��
d|d<Wq�t�
yL
}
z0t|t��
r$d}|j�dt	|�
�

WYd}~q�d}~00q�nt
d
�
�
|j�
s�|�
rptd�
�
t
dt	|j�
�
�
dS)
a
Verifies a JWS token.

        :param key: A (:class:`jwcrypto.jwk.JWK`) verification or
         a (:class:`jwcrypto.jwk.JWKSet`) that contains a key indexed by the
         'kid' header.
        :param alg: The signing algorithm (optional). Usually the algorithm
            is known as it is provided with the JOSE Headers of the token.
        :param detached_payload: A detached payload to verify the signature
            against. Only valid for tokens that are not carrying a payload.

        :raises InvalidJWSSignature: if the verification fails.
        :raises InvalidJWSOperation: if a detached_payload is provided but
                                     an object payload exists
        :raises JWKeyNotFound: if key is a JWKSet and the key is not found.
        FrQr>r3Nr1TzFailed: [%s]�
signatureszNo signatures availablerYz&Verification failed for all signatures)rHrGrcr_r:rDr/rrZr]rrR)	rr.rZdetached_payloadraZ
missingkeyr5rE�
orrr rCO
sP













�




,










�



.



�z
JWS.verifycCsRd
tt
|
d
�
�
i
}d|
vr:tt
|
d�
�
}|�d�
|d<d|
vrN|
d|d<|S)Nr>r3r*r1)rr�decode)r�
srer^rrr �_deserialize_signature�
s






zJWS._deserialize_signaturecCsn|durd}n,t|�
}|�
d
�
}|du
r:t|t�s:td�
�
|
�
d
�
}||krPdS|durb||
d
<ntd�
�
dS)Nrzb64 header must be booleanzconflicting b64 values)rr:r/rSr')rrer3Zb64nr^rrrr �_deserialize_b64�
s














zJWS._deserialize_b64c
Cs�
i|_i}�
zLz�t
|
�
}d
|vrbg|d
<|d
D].}|�|�
}|d
�|�

|�||�d�
�
q0n|�|�
}|�||�d�
�
d|vr�|�dd�r�tt|d�
�
|d<n|d|d<Wn�t�
yN


|
�	d�
}t
|�
dkr�td�
d	�tt|d
�
�
}	t
|	�
d
k�
r"|	�d�
|d<|�||d�
tt|d�
�
|d<tt|d
�
�
|d<Yn0||_Wn0t
�
y�
}

ztd�
|
�WYd	}
~
n
d	}
~
00|�
r�|�||�
d	S)awDeserialize a JWS token.

        NOTE: Destroys any current status and tries to import the raw
        JWS provided.

        If a key is provided a verification step will be attempted after
        the object is successfully deserialized.

        :param raw_jws: a 'raw' JWS token (JSON Encoded or Compact
         notation) string.
        :param key: A (:class:`jwcrypto.jwk.JWK`) verification or
         a (:class:`jwcrypto.jwk.JWKSet`) that contains a key indexed by the
         'kid' header (optional).
        :param alg: The signing algorithm (optional). Usually the algorithm
         is known as it is provided with the JOSE Headers of the token.

        :raises InvalidJWSObject: if the raw object is an invalid JWS token.
        :raises InvalidJWSSignature: if the verification fails.
        :raises JWKeyNotFound: if key is a JWKSet and the key is not found.
        rdr3r5rT�
.�zUnrecognized representationNr
r*�
�r>zInvalid format)rGrrhrZrir:rrr?�splitr`r'rfrDrC)rZraw_jwsr.rreZdjwsrg�os�datar^rErrr �deserialize�
sD



















�






 
zJWS.deserializec
Csd
}|r$t|t
�rt|�
}t|�
}nt
�}dt|���
vr^|�dg�}d|v
rVtd�
�
|d}d|jvr~||jdkr~td�
�
d}|r�t|t
�r�t|�
}t|�
}|�	||�}d|vr�|dur�|d}n||dkr�t
d�
�
|dur�t
d	�
�
t||
||j�d
�
|j�}	|	�
�}
t|
d�
d
d�}|�
r,||d
<|�
r:||d<d|jv�
rX|jd�|�

n�d|jv�
r�g|jd<d|j�d�
i
}d
|jv�
r�|j�d
�
|d
<d|jv�
r�|j�d�
|d<d|jv�
r�|j�d�
|d<|jd�|�

|jd�|�

n|j�|�

||jd<dS)a Adds a new signature to the object.

        :param key: A (:class:`jwcrypto.jwk.JWK`) key of appropriate for
         the "alg" provided.
        :param alg: An optional algorithm name. If already provided as an
         element of the protected or unprotected header it can be safely
         omitted.
        :param protected: The Protected Header (optional)
        :param header: The Unprotected Header (optional)

        :raises InvalidJWSObject: if invalid headers are provided.
        :raises ValueError: if the key is not a (:class:`jwcrypto.jwk.JWK`)
        :raises ValueError: if the algorithm is missing or is not provided
         by one of the headers.
        :raises InvalidJWAAlgorithm: if the algorithm is not valid, is
         unknown or otherwise not yet implemented.
        Trrz"b64 header must always be criticalzMixed b64 headers on signaturesNrzF"alg" value mismatch, specified "alg" does not match JOSE header valuez"alg" not specifiedr5r>)r>rQr3r1rdrQ)r/r0r	rrOrTr:r'rGrWr?r)rNrArrZ�poprL)
rr.rr3r1rr^rrV�
c�sigre�
nrrr �
add_signature�
sl






















�

�
















zJWS.add_signatureFc	CsX|
�
rd
|jvrt
d�
�
d|jv
r*td�
�
|j�dd�s@td�
�
d|jvrxt|jd�
}d	|v
rht
d
�
�
t|jd�
}nt
d�
�
|j�d�
r�|j�d
d�r�t|jd�
}q�t|jdt�r�|jd�d�
}n
|jd}d|vr�t
d�
�
nd}d�	||t|jd�
g�
S|j}i}|j�dd�}|j�d
d��
r<t|�
|d<n||d<d|v�
r�|�dd��
sdtd�
�
t|d�
|d<d|v�
r�t|d�
|d<d|v�rL|d|d<n�d
|v�rDg|d
<|d
D]f}|�dd��
s֐
q�dt|d�
i
}d|v�rt|d�
|d<d|v�r|d|d<|d
�
|�

�
q�t|d
�
dk�rLtd�
�
ntd�
�
t|�
SdS)aSerializes the object into a JWS token.

        :param compact(boolean): if True generates the compact
         representation, otherwise generates a standard JSON format.

        :raises InvalidJWSOperation: if the object cannot serialized
         with the compact representation and `compact` is True.
        :raises InvalidJWSSignature: if no signature has been added
         to the object, or no valid signature can be found.

        :return: A json formatted string or a compact representation string
        :rtype: `str`
        rdz3Can't use compact encoding with multiple signaturesr>zNo available signaturerQFzNo valid signature foundr3rz5Compact encoding must carry 'alg' in protected headerz3Can't use compact encoding without protected headerr5rTr*rjzKCan't use compact encoding with unencoded payload that uses the . characterr+r1r
N)
rGr(rr:rrr/r;rfr@rZr`r	)	rZcompactr^r3r5rartrergrrr �	serialize=sp


















�

�
































z
JWS.serializec

Cs|jst
d
�
�
|j�d�
S)NzPayload not verifiedr5)rRr(rGr:rMrrr r5�s

zJWS.payloadc

Cs|j�
d
d�
dS)Nr5)rGrrrMrrr �detach_payload�s
zJWS.detach_payloadc
Cs�|j}
d
|
vr<d|
vr$t
|
d�
}nd}|�||
�di��Sd|jvr�g}|
dD]@}i}d|vrpt
|d�
}nd}|�||�di��}|�|�

qR|Std�
�
dS)Nr>r3r1rdzJOSE Header(s) not available)rGrrWr:rZr()rrar^ZjhlreZjhrrr r[�s"













zJWS.jose_headercCs|�}|�|
�

|S)
a
Creates a JWS object from a serialized JWS token.

        :param token: A string with the json or compat representation
         of the token.

        :raises InvalidJWSObject: if the raw object is an invalid JWS token.

        :return: A JWS token
        :rtype: JWS
        )
rq)�cls�tokenrarrr �from_jose_token�s



zJWS.from_jose_tokencCsDt|
t
�sd
Sz|��|
��kWSty>


|j|
jkYS0dS)NF)r/rFrwrDrG)r�otherrrr �__eq__�s






z
JWS.__eq__c

Cs*z
|��WSt
y$


|��YS0dS)
N)rwrD�__repr__rMrrr �__str__�s




zJWS.__str__c
CsFzd
|���d�WSt
y@


|jd�d�
}
d|
�d�YS0dS)NzJWS.from_json_token("z")r5r*zJWS(payload=�
))rwrDrGrfr<rrr r~�s





zJWS.__repr__)NN)
N)NN)NN)NNN)
F)r"r#r$r%r�propertyrN�setterrRrWr_rcrCrhrirqrvrwr5rxr[�classmethodr{r}rr~rrrr rF�s6







'
C

;	
>
[
P





rF)Zjwcrypto.commonrrrrrrrr	Zjwcrypto.jwar
Zjwcrypto.jwkrrrJr7rr'r(r)rFrrrr �<module>s8











�
�


�	V